← All Threat Actors
Threat Actor Profile

APT39

Burgundy Sandstorm Chafer COBALT HICKMAN G0087 ITG07 Radio Serpens REMIX KITTEN TA454
▲ High Threat
APT39 was created to bring together previous activities and methods used by this actor, and its activities largely align with a group publicly referred to as "Chafer." However, there are differences in what has been publicly reported due to the variances in how organizations track activity. APT39 primarily leverages the SEAWEED and CACHEMONEY backdoors along with a specific variant of the POWBAT backdoor. While APT39's targeting scope is global, its activities are concentrated in the Middle East. APT39 has prioritized the telecommunications sector, with additional targeting of the travel industry and IT firms that support it and the high-tech industry.
Origin Iran

Known TTPs

Network Service Discovery
Registry Run Keys / Startup Folder
External Proxy
Deobfuscate/Decode Files or Information
Keylogging
Data from Local System
PowerShell
Clipboard Data
OS Credential Dumping
Code Signing Policy Modification
AppInit DLLs
Shortcut Modification
Network Share Discovery
Service Execution
Encrypted/Encoded File
Tool
Remote Desktop Protocol
System Owner/User Discovery
Software Packing
Exfiltration Over C2 Channel
Malicious File
Scheduled Task
File Deletion
Bidirectional Communication
Archive via Utility
Web Shell
Ingress Tool Transfer
AutoHotKey & AutoIT
Malicious Link
Credentials from Password Stores
Screen Capture
LSASS Memory
Remote System Discovery
DNS
Command and Scripting Interpreter
Local Data Staging
File and Directory Discovery
Query Registry
Brute Force
BITS Jobs
Local Account
Python
Match Legitimate Resource Name or Location
Web Protocols
Internal Proxy
Valid Accounts
Input Capture
Spearphishing Link
Spearphishing Attachment
SMB/Windows Admin Shares
Exploit Public-Facing Application
Visual Basic
SSH

External Resources

CISA Advisories ↗

Related Intelligence

Hacking the mainframe…

LINK COPIED TO CLIPBOARD